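# Source listing: github.com/rigado/snapd@v2.42.5-go-mod+incompatible/data/selinux/snappy.if
#
# This file is part of snapd-selinux
# Skeleton derived from Fedora selinux-policy, Copyright (C) 2016 Red Hat, Inc.
# Copyright (C) 2016 Neal Gompa
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Library General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.


########################################
## <summary>
##	Execute snapd in the snappy domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`snappy_domtrans',`
	gen_require(`
		type snappy_t, snappy_exec_t;
	')

	# The calling domain has to be able to search the bin directories
	# before it can reach the executable.
	corecmd_search_bin($1)
	# The transition to snappy_t is tied to files labeled snappy_exec_t,
	# so the file context of the snapd binary decides whether it applies.
	domtrans_pattern($1, snappy_exec_t, snappy_t)
')

########################################
## <summary>
##	Execute systemctl and manage the snapd systemd units.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snappy_systemctl',`
	gen_require(`
		type snappy_t;
		type snappy_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# NOTE(review): snappy_unit_file_t is used below as a file and service
	# label. A unix_stream_socket rule against that same type looks like
	# template residue. Confirm it is needed before keeping the grant.
	allow $1 snappy_unit_file_t:unix_stream_socket create_stream_socket_perms;
	allow $1 snappy_unit_file_t:file read_file_perms;
	# Service management on the snapd units. Grant this interface only to
	# domains that are meant to control the snapd service state.
	allow $1 snappy_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, snappy_t)
')


########################################
## <summary>
##	Permit the reading of snapd config files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to access.
##	</summary>
## </param>
#
interface(`snappy_read_config',`
	gen_require(`
		type snappy_config_t;
	')

	files_search_etc($1)
	# Read only access: list directories and read files and symlinks
	# labeled snappy_config_t.
	allow $1 snappy_config_t:dir list_dir_perms;
	allow $1 snappy_config_t:file read_file_perms;
	allow $1 snappy_config_t:lnk_file read_lnk_file_perms;
')


########################################
## <summary>
##	Create snappy content in the user home directory
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snappy_filetrans_home_content',`

	gen_require(`
		type snappy_home_t;
	')

	# Named type transition: a directory called snap created by the calling
	# domain in a user home directory is labeled snappy_home_t.
	userdom_user_home_dir_filetrans($1, snappy_home_t, dir, "snap")
')


########################################
## <summary>
##	Read snappy home directory content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snappy_read_user_home_files',`
	gen_require(`
		type snappy_home_t;
	')

	allow $1 snappy_home_t:dir list_dir_perms;
	allow $1 snappy_home_t:file read_file_perms;
	allow $1 snappy_home_t:lnk_file read_lnk_file_perms;
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Write snappy home directory content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snappy_write_user_home_files',`
	gen_require(`
		type snappy_home_t;
	')

	write_files_pattern($1, snappy_home_t, snappy_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Dontaudit attempts to read/write snappy home directory content
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`snappy_dontaudit_rw_user_home_files',`
	gen_require(`
		type snappy_home_t;
	')

	# This grants nothing. It only silences the AVC records for the denied
	# access, so those denials will not show up in the audit log. Rebuild
	# the policy with dontaudit rules disabled, semodule -DB, when
	# investigating unexplained failures.
	dontaudit $1 snappy_home_t:file rw_inherited_file_perms;
')

########################################
## <summary>
##	Dontaudit attempts to manage snappy home directory content
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`snappy_dontaudit_manage_user_home_files',`
	gen_require(`
		type snappy_home_t;
	')

	# This grants nothing. It only silences the AVC records for denied
	# manage attempts on directories and files labeled snappy_home_t, so
	# those denials will not show up in the audit log. Rebuild the policy
	# with dontaudit rules disabled, semodule -DB, when investigating.
	dontaudit $1 snappy_home_t:dir manage_dir_perms;
	dontaudit $1 snappy_home_t:file manage_file_perms;
')

########################################
## <summary>
##	Connect to snapd over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snappy_stream_connect',`
	gen_require(`
		type snappy_t, snappy_var_run_t;
	')

	files_search_pids($1)
	# This covers only the SELinux side of connecting to the socket under
	# snappy_var_run_t that is owned by snappy_t. Whatever authorization
	# snapd applies to requests on that socket is separate from this rule.
	stream_connect_pattern($1, snappy_var_run_t, snappy_var_run_t, snappy_t)
')

########################################
## <summary>
##	All of the rules required to
##	administrate a snappy environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`snappy_admin',`
	gen_require(`
		type snappy_t, snappy_config_t;
		type snappy_var_run_t;
	')

	# NOTE(review): the documented role parameter is never referenced in
	# this body. Callers may pass it but it has no effect here.

	allow $1 snappy_t:process signal_perms;

	ps_process_pattern($1, snappy_t)

	# admin_pattern is a broad grant over everything carrying the given
	# label. Reserve this interface for administrative domains.
	admin_pattern($1, snappy_config_t)

	# The original passed snappy_var_run_t as a second argument here.
	# files_list_pids is called with the domain only, matching the single
	# argument files_search_pids call in snappy_stream_connect.
	files_list_pids($1)
	admin_pattern($1, snappy_var_run_t)
')

########################################
## <summary>
##	Execute snappy CLI in the snappy_cli_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`snappy_cli_domtrans',`
	gen_require(`
		type snappy_cli_t, snappy_cli_exec_t;
	')

	corecmd_search_bin($1)
	# The transition applies only to files labeled snappy_cli_exec_t.
	domtrans_pattern($1, snappy_cli_exec_t, snappy_cli_t)
')

########################################
## <summary>
##	Execute snap-confine in the snappy_confine_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`snappy_confine_domtrans',`
	gen_require(`
		type snappy_confine_t, snappy_confine_exec_t;
	')

	corecmd_search_bin($1)
	# The transition applies only to files labeled snappy_confine_exec_t.
	domtrans_pattern($1, snappy_confine_exec_t, snappy_confine_t)
')

########################################
## <summary>
##	Execute snap-update-ns, snap-discard-ns in the snappy_mount_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`snappy_mount_domtrans',`
	gen_require(`
		type snappy_mount_t, snappy_mount_exec_t;
	')

	corecmd_search_bin($1)
	# The transition applies only to files labeled snappy_mount_exec_t.
	domtrans_pattern($1, snappy_mount_exec_t, snappy_mount_t)
')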